Formalising the π-calculus is an illuminating test of the expressiveness of logical frameworks and
mechanised metatheory systems, because of the presence of name binding, labelled transitions with 
name extrusion, bisimulation, and structural congruence. Formalisations have been undertaken in 
a variety of systems, primarily focusing on well-studied (and challenging) properties such as the 
theory of process bisimulation. We present a formalisation in Agda that instead explores the theory 
of concurrent transitions, residuation, and causal equivalence of traces, which has not previously 
been formalised for the π-calculus. Our formalisation employs de Bruijn indices and dependently-typed
syntax, and aligns the “proved transitions” proposed by Boudol and Castellani in the context
of CCS with the proof terms naturally present in Agda’s representation of the labelled transition 
relation. Our main contributions are proofs of the “diamond lemma” for residuation of concurrent 
transitions and a formal definition of equivalence of traces up to permutation of transitions. 


1 Introduction 

The π-calculus [18, 19] is an expressive model of concurrent and mobile processes. It has been
investigated extensively and many variations, extensions and refinements have been proposed, including
the asynchronous, polyadic, and applied π-calculus (among many others). The π-calculus has also
attracted considerable attention from the logical frameworks and meta-languages community, and
formalisations of its syntax and semantics have been performed using most of the extant mechanised
metatheory techniques, including (among others) Coq [13, 14, 15], Nominal Isabelle [2], Abella [1]
(building on Miller and Tiu [26]), CLF [6], and Agda [21]. These formalisations have overcome challenges
that tested the limits of these systems (at least at the time), particularly relating to the encoding of name 
binding, scope extrusion and structural congruence. Indeed, some early formalisations motivated or led 
to important contributions to the understanding of these issues in different systems, such as the Theory 
of Contexts, or CLF’s support for monadic encapsulation of concurrent executions. 

Prior formalisations have typically considered the syntax, semantics (usually via a variation on 
labelled transitions), and bisimulation theory of the π-calculus. However, as indicated above, while
these aspects of the π-calculus are essential, they only scratch the surface of the properties that could
be investigated. Most of these developments have been carried out using informal paper proofs, and 
formalising them may reveal challenges or motivate further research on logical frameworks. 

One interesting aspect of the π-calculus that has not been formally investigated, and remains to
some extent ill-understood informally, is its theory of causal equivalence. Two transitions $t_1$, $t_2$ that can
be taken from a process term $p$ are said to be concurrent ($t_1 \smile t_2$) if they could be performed “in either
order” — that is, if after performing $t_1$, there is a natural way to transform the other transition $t_2$ so that
its effect is performed on the result of $t_1$, and vice versa. The translation of the second transition is said
to be the residual of $t_2$ after $t_1$, written $t_2/t_1$. The key property of this operation, called the “diamond
lemma”, is that the two residuals $t_1/t_2$ and $t_2/t_1$ of transitions $t_1 \smile t_2$ result in the same process. Finally,
permutation of concurrent transitions induces a causal equivalence relation on pairs of traces. This is the
standard notion of permutation-equivalence from the theory of traces over concurrent alphabets [17].

Our interest in this area stems from previous work on provenance, slicing and explanation (e.g. [22]),
which we wish to adapt to concurrent settings. Ultimately, we would like to formalise the relationship 
between informal “provenance graphs” often used informally to represent causal relationships 0 and 
the semantics of concurrent languages and traces. The π-calculus is a natural starting point for this
study. We wish to understand how to represent, manipulate, and reason about π-calculus execution
traces safely: that is, respecting well-formedness and causality. 

In classical treatments, starting with Levy [16], a transition is usually considered to be a triple
(e, t, e') where e and e' are the terms and t is some information about the step performed. Boudol and
Castellani [4] introduced the proved transitions approach for CCS in which the labels of transitions
are enriched with more information about the transition performed. Boreale and Sangiorgi [3] and
Degano and Priami [11] developed theories of causal equivalence for the π-calculus, building indirectly
on the proved transition approach; Danos and Krivine [10] and Cristescu, Krivine and Varacca [8]
developed notions of causality in the context of reversible CCS and π-calculus respectively. However,
there does not appear to be a consensus about the correct definition of causal equivalence for the
π-calculus. For example, Cristescu et al. [8] write “[in] the absence of an indisputable definition of
permutation equivalence for [labelled transition system] semantics of the π-calculus it is hard to assert
the correctness of one definition over another.” In their work on reversible π-calculus, they noted that
some previous treatments of causality in the π-calculus did not allow permuting transitions within the
scope of a ν-binder, and showed how their approach would allow this. Moreover, none of the above
approaches has been formalised.

In this paper, we report on a new formalisation of the π-calculus carried out in the dependently-typed
programming language Agda [20]. Our main contributions include formalisations of concurrency,
residuation, the diamond lemma, and causal equivalence. We do not attempt to formalise the above
approaches directly, any one of which seems to be a formidable challenge. Instead, we have chosen
to adapt the ideas of Boudol and Castellani to the π-calculus as directly as we can, guided by the
hypothesis that their notion of proved transitions can be aligned with the proof terms for transition 
steps that arise naturally in a constructive setting. For example, we define the concurrency relation 
on (compatibly-typed) transition proof terms, and we define residuation as a total function taking two 
transitions along with a proof that the transitions are concurrent, rather than having to deal with a 
partial operation. 

Our formalisation employs de Bruijn indices [5], an approach with well-known strengths and
weaknesses compared, for example, to higher-order or nominal abstract syntax techniques employed in
existing formalisations. For convenience, we employ a restricted form of structural congruence called
braiding congruence, and we have not formalised as many of the classical results on the π-calculus as
others have, but we do not believe there are major obstacles to filling these gaps. To the best of our 
knowledge, ours is the first mechanised proof of the diamond lemma for any process calculus. 

The rest of the paper is organised as follows. §2 presents our variant of the (synchronous) π-calculus,
including syntax, renamings, transitions and braiding congruence. §3 presents our definitions
of concurrency and residuation for transitions, and discusses the diamond lemma. §4 presents our
definition of causal equivalence. §5 discusses related work in greater detail and §6 concludes and
discusses prospects for future work. Appendix A summarises the Agda module structure; the source
code can be found at https://github.com/rolyp/proof-relevant-pi, release 0.1. Appendix B contains
graphical proof-sketches for some lemmas, and Appendix C some further examples of residuation.
2 Synchronous π-calculus

We present our formalisation in the setting of a first-order, synchronous, monadic π-calculus with
recursion and internal choice, using a labelled transition semantics. The syntax of the calculus is 
conventional (using de Bruijn indices) and is given below. 


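$$
\begin{array}{lrcll}
\text{Name} & x, y, z & ::= & 0 \mid 1 \mid \cdots & \\[4pt]
\text{Process} & P, Q, R, S & ::= & 0 & \text{inactive} \\
 & & \mid & x.P & \text{input} \\
 & & \mid & \overline{x}\langle y\rangle.P & \text{output} \\
 & & \mid & P + Q & \text{choice} \\
 & & \mid & P \mid Q & \text{parallel} \\
 & & \mid & \nu P & \text{restriction} \\
 & & \mid & {!P} & \text{replication} \\[4pt]
\text{Action} & a & ::= & x & \text{input} \\
 & & \mid & \overline{x}\langle y\rangle & \text{output} \\
 & & \mid & \overline{x} & \text{bound output} \\
 & & \mid & \tau & \text{silent}
\end{array}
$$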


Names are ranged over by x, y and z. An input action is written $x$. Output actions are written $\overline{x}\langle y\rangle$
if y is in scope and $\overline{x}$ if the action represents the output of a name whose scope is extruding, in which
case we say the action is a bound output. Bound outputs do not appear in user code but arise during
execution.

To illustrate, the conventional π-calculus term $(\nu x)\; x(z).\overline{y}\langle z\rangle.0 \mid \overline{x}\langle c\rangle.0$ would be represented using
de Bruijn indices as $\nu(0.\overline{n+1}\langle 0\rangle.0 \mid \overline{0}\langle m+1\rangle.0)$, provided that y and c are associated with indices n
and m. Here, the first 0 represents the bound variable x, the second 0 the bound variable z, and the
third refers to x again. Note that the symbol 0 denotes the inactive process term, not a de Bruijn index.

Let $\Gamma$ and $\Delta$ range over contexts, which are finite initial segments of the natural numbers. The
function which extends a context with a new element is written as a postfix $\cdot + 1$. A context $\Gamma$ closes P
if $\Gamma$ contains the free variables of P. We denote by $\mathsf{Proc}\ \Gamma$ the set of processes closed by $\Gamma$, as defined
below. We write $\Gamma \vdash P$ to mean $P \in \mathsf{Proc}\ \Gamma$. Similarly, actions are well-formed only in closing contexts;
we write $a : \mathsf{Action}\ \Gamma$ to mean that $\Gamma$ is closing for a, as defined below.

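$\Gamma \vdash P$

$$
\frac{}{\Gamma \vdash 0}
\qquad
\frac{\Gamma + 1 \vdash P}{\Gamma \vdash x.P}\; x \in \Gamma
\qquad
\frac{\Gamma \vdash P}{\Gamma \vdash \overline{x}\langle y\rangle.P}\; x, y \in \Gamma
\qquad
\frac{\Gamma \vdash P \quad \Gamma \vdash Q}{\Gamma \vdash P + Q}
\qquad
\frac{\Gamma \vdash P \quad \Gamma \vdash Q}{\Gamma \vdash P \mid Q}
$$

$$
\frac{\Gamma + 1 \vdash P}{\Gamma \vdash \nu P}
\qquad
\frac{\Gamma \vdash P}{\Gamma \vdash {!P}}
$$

$a : \mathsf{Action}\ \Gamma$

$$
\frac{}{x : \mathsf{Action}\ \Gamma}\; x \in \Gamma
\qquad
\frac{}{\overline{x} : \mathsf{Action}\ \Gamma}\; x \in \Gamma
\qquad
\frac{}{\overline{x}\langle y\rangle : \mathsf{Action}\ \Gamma}\; x, y \in \Gamma
\qquad
\frac{}{\tau : \mathsf{Action}\ \Gamma}
$$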


To specify the labelled transition semantics, it is convenient to distinguish bound actions b from
non-bound actions c. A bound action $b : \mathsf{Action}\ \Gamma$ is of the form $x$ or $\overline{x}$, and shifts a process from $\Gamma$ to a
target context $\Gamma + 1$, freeing the index 0. A non-bound action $c : \mathsf{Action}\ \Gamma$ is of the form $\overline{x}\langle y\rangle$ or $\tau$, and
has a target context which is also $\Gamma$. Meta-variable a ranges over all actions, bound and non-bound.
2.1 Renamings

A de Bruijn indices formulation of π-calculus makes extensive use of renamings. A renaming $\rho : \Gamma \to \Delta$
is any function (injective or otherwise) from $\Gamma$ to $\Delta$. The labelled transition semantics makes use of
the lifting of the successor function $\cdot + 1$ on natural numbers to renamings, which we call push to
avoid confusion with the $\cdot + 1$ operation on contexts; pop y, which undoes the effect of push, replacing
0 by y; and swap, which transposes the roles of 0 and 1. This de Bruijn treatment of π-calculus is
similar to that of Hirschkoff’s asynchronous μs calculus [14], except that we give a late rather than
early semantics; other differences are discussed in §5 below.


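$$
\begin{array}{lll}
\mathsf{push}_\Gamma : \Gamma \to \Gamma + 1 & \mathsf{pop}_\Gamma\, x : \Gamma + 1 \to \Gamma & \mathsf{swap}_\Gamma : \Gamma + 2 \to \Gamma + 2 \\[4pt]
\mathsf{push}\ x = x + 1 & \mathsf{pop}\ y\ 0 = y & \mathsf{swap}\ 0 = 1 \\
 & \mathsf{pop}\ y\ (x + 1) = x & \mathsf{swap}\ 1 = 0 \\
 & & \mathsf{swap}\ (x + 2) = x + 2
\end{array}
$$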


The $\Gamma$ subscripts that appear on $\mathsf{push}_\Gamma$, $\mathsf{pop}_\Gamma\, x$ and $\mathsf{swap}_\Gamma$ are shown in grey to indicate that they may
be omitted when their value is obvious or irrelevant; this is a convention we use throughout the paper.

2.1.1 Lifting renamings to processes and actions

The functorial extension $\rho^* : \mathsf{Proc}\ \Gamma \to \mathsf{Proc}\ \Delta$ of a renaming $\rho : \Gamma \to \Delta$ to processes is defined in the
usual way. Renaming under a binder utilises the action of $\cdot + 1$ on renamings, which is also functorial.
Syntactically, $\rho^*$ binds tighter than any process constructor.


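$$
\begin{array}{ll}
\cdot^* : (\Gamma \to \Delta) \to \mathsf{Proc}\ \Gamma \to \mathsf{Proc}\ \Delta & \cdot^* : (\Gamma \to \Delta) \to \mathsf{Action}\ \Gamma \to \mathsf{Action}\ \Delta \\[4pt]
\rho^* 0 = 0 & \rho^* x = \rho x \\
\rho^*(x.P) = \rho x.(\rho + 1)^* P & \rho^* \overline{x} = \overline{\rho x} \\
\rho^*(\overline{x}\langle y\rangle.P) = \overline{\rho x}\langle \rho y\rangle.\rho^* P & \rho^* \tau = \tau \\
\rho^*(P + Q) = \rho^* P + \rho^* Q & \rho^* \overline{x}\langle y\rangle = \overline{\rho x}\langle \rho y\rangle \\
\rho^*(P \mid Q) = \rho^* P \mid \rho^* Q & \\
\rho^*(\nu P) = \nu(\rho + 1)^* P & \\
\rho^*({!P}) = {!\rho^* P} &
\end{array}
$$

$$
\begin{array}{l}
\cdot + 1 : (\Gamma \to \Delta) \to \Gamma + 1 \to \Delta + 1 \\[4pt]
(\rho + 1)\ 0 = 0 \\
(\rho + 1)\ (x + 1) = \rho x + 1
\end{array}
$$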


2.1.2 Properties of renamings 

Several equational properties of renamings are used throughout the development; here we present 
the ones mentioned elsewhere in the paper. Diagrammatic versions of the lemmas, along with string 
diagrams that offer a graphical intuition for why the lemmas hold, are given in Appendix B.

Lemma 1. $\mathsf{pop}\ x \circ \mathsf{push} = \mathsf{id}$

Freeing the index 0 and then immediately substituting x for it is a no-op.

Lemma 2. $\mathsf{pop}\ 0 \circ \mathsf{push} + 1 = \mathsf{id}$

Lemma 3. $\mathsf{swap} + 1 \circ \mathsf{swap} \circ \mathsf{swap} + 1 = \mathsf{swap} \circ \mathsf{swap} + 1 \circ \mathsf{swap}$

The above are two equivalent ways of swapping indices 0 and 2.

Lemma 4. $\mathsf{pop}\ 0 \circ \mathsf{swap} = \mathsf{pop}\ 0$

Lemma 5. $\mathsf{swap} \circ \mathsf{push} + 1 = \mathsf{push}$, $\mathsf{swap} \circ \mathsf{push} = \mathsf{push} + 1$

Lemma 6. $\mathsf{push} \circ \rho = \rho + 1 \circ \mathsf{push}$

Lemma 7. $\rho \circ \mathsf{pop}\ x = \mathsf{pop}\ \rho x \circ \rho + 1$

Lemma 8. $\mathsf{swap} \circ \rho + 2 = \rho + 2 \circ \mathsf{swap}$

These last two lemmas assert various naturality properties of push, pop x and swap.
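The renaming lemmas can be sanity-checked by brute force. The following Python sketch is an added example, not part of the paper's Agda development: it models renamings as functions on natural numbers and tests Lemmas 1 to 8 exhaustively over all renamings between contexts of size at most 3. The helper names `lift`, `compose`, `same`, `renamings` and `check_lemmas` are assumptions of this example.

```python
from itertools import product

# Renamings are modelled as Python functions on de Bruijn indices (naturals).
def push(x):
    return x + 1

def pop(y):
    """pop y: substitute y for index 0 and shift every other index down."""
    return lambda x: y if x == 0 else x - 1

def swap(x):
    return {0: 1, 1: 0}.get(x, x)

def lift(rho, k=1):
    """rho + k: leave the k innermost indices fixed, apply rho past them."""
    if k == 0:
        return rho
    inner = lift(rho, k - 1)
    return lambda x: 0 if x == 0 else inner(x - 1) + 1

def compose(*fs):
    """compose(f, g, h)(x) == f(g(h(x))), matching the paper's use of 'o'."""
    def run(x):
        for f in reversed(fs):
            x = f(x)
        return x
    return run

def same(f, g, size):
    """Extensional equality on the context {0, ..., size - 1}."""
    return all(f(x) == g(x) for x in range(size))

def renamings(n, m):
    """Every function {0..n-1} -> {0..m-1}, injective or otherwise."""
    for image in product(range(m), repeat=n):
        yield lambda x, image=image: image[x]

def check_lemmas(max_ctx=3):
    """Return {lemma number: holds?} for all contexts of size <= max_ctx."""
    ok = {k: True for k in range(1, 9)}
    ident = lambda x: x

    def record(k, holds):
        ok[k] = ok[k] and holds

    for n in range(max_ctx + 1):
        for x in range(n):
            record(1, same(compose(pop(x), push), ident, n))
        record(2, same(compose(pop(0), lift(push)), ident, n + 1))
        record(3, same(compose(lift(swap), swap, lift(swap)),
                       compose(swap, lift(swap), swap), n + 3))
        record(4, same(compose(pop(0), swap), pop(0), n + 2))
        record(5, same(compose(swap, lift(push)), push, n + 1)
                  and same(compose(swap, push), lift(push), n + 1))
        for m in range(max_ctx + 1):
            for rho in renamings(n, m):
                record(6, same(compose(push, rho),
                               compose(lift(rho), push), n))
                for x in range(n):
                    record(7, same(compose(rho, pop(x)),
                                   compose(pop(rho(x)), lift(rho)), n + 1))
                record(8, same(compose(swap, lift(rho, 2)),
                               compose(lift(rho, 2), swap), n + 2))
    return ok
```

A finite check like this is evidence, not a proof; the mechanised proofs are the ones in the Agda development.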


2.2 Labelled transition semantics 

An important feature of our semantics is that each transition rule has an explicit constructor name. This
allows derivations to be written in a compact, expression-like form, similar to the proven transitions used
by Boudol and Castellani to define notions of concurrency and residuation for CCS [4]. However, rather
than giving an additional inductive definition describing the structure of a “proof” that $P \xrightarrow{a} R$,
we simply treat the inductive definition of $\xrightarrow{}$ as a data type. This is a natural approach in a
dependently-typed setting.

The rule names are summarised below, and have been chosen to reflect, where possible, the structure
of the process triggering the rule. The corresponding relation $P \xrightarrow{a} R$ is defined in Figure 1 for
any process $\Gamma \vdash P$, any $a : \mathsf{Action}\ \Gamma$ with target $\Delta \in \{\Gamma, \Gamma + 1\}$, and any $\Delta \vdash R$.


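$$
\begin{array}{lrcll}
\text{Transition} & E, F & ::= & x.P & \text{input on } x \\
 & & \mid & \overline{x}\langle y\rangle.P & \text{output } y \text{ on } x \\
 & & \mid & E + Q \;\mid\; P + F & \text{choose left or right branch} \\
 & & \mid & E \mathbin{{}^{a}|} Q \;\mid\; P \mathbin{|^{a}} F & \text{propagate } a \text{ through parallel composition on the left or right} \\
 & & \mid & E \mathbin{|_{y}} F \;\mid\; E \mathbin{{}_{y}|} F & \text{rendezvous (receiving } y \text{ on the left or right)} \\
 & & \mid & \nu E & \text{initiate name extrusion} \\
 & & \mid & E \mathbin{|_{\nu}} F \;\mid\; E \mathbin{{}_{\nu}|} F & \text{extrusion rendezvous (receiving 0 on the left or right)} \\
 & & \mid & \nu^{a} E & \text{propagate } a \text{ through binder} \\
 & & \mid & {!E} & \text{replicate}
\end{array}
$$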


The constructor name for each rule is shown to the left of the rule. There is an argument position,
indicated by $\cdot$, for each premise of the rule. Note that there are two forms of the transition constructors
$\cdot \mathbin{{}^{a}|} Q$ and $\nu^{a}\,\cdot$, distinguished by whether they are indexed by a bound action $b$ or by a non-bound action
$c$. Moreover there are additional (but symmetric) rules of the form $P + \cdot$, $P \mathbin{|^{b}} \cdot$ and $P \mathbin{|^{c}} \cdot$ where the
sub-transition occurs on the opposite side of the operator, and similarly $\cdot \mathbin{{}_{\nu}|} \cdot$ and $\cdot \mathbin{{}_{y}|} \cdot$ rules in which
the positions of sender and receiver are transposed. These are all straightforward variants of the
rules shown, and are omitted from Figure 1 for brevity. Meta-variables E and F range over transition
derivations; if $E : P \xrightarrow{a} R$ then src(E) denotes P and tgt(E) denotes R.

Although a de Bruijn formulation of π-calculus requires a certain amount of housekeeping, one
pleasing consequence is that the usual side-conditions associated with the π-calculus transition rules
are either subsumed by syntactic constraints on actions, or “operationalised” using the renamings above.
In particular:
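$$
x.P\;\; \frac{}{x.P \xrightarrow{x} P}
\qquad
\overline{x}\langle y\rangle.P\;\; \frac{}{\overline{x}\langle y\rangle.P \xrightarrow{\overline{x}\langle y\rangle} P}
\qquad
\cdot + Q\;\; \frac{P \xrightarrow{a} R}{P + Q \xrightarrow{a} R}
$$

$$
\cdot \mathbin{{}^{c}|} Q\;\; \frac{P \xrightarrow{c} R}{P \mid Q \xrightarrow{c} R \mid Q}
\qquad
\cdot \mathbin{{}^{b}|} Q\;\; \frac{P \xrightarrow{b} R}{P \mid Q \xrightarrow{b} R \mid \mathsf{push}^* Q}
\qquad
\cdot \mathbin{|_{y}} \cdot\;\; \frac{P \xrightarrow{x} R \quad Q \xrightarrow{\overline{x}\langle y\rangle} S}{P \mid Q \xrightarrow{\tau} (\mathsf{pop}\ y)^* R \mid S}
$$

$$
\nu\,\cdot\;\; \frac{P \xrightarrow{\overline{x+1}\langle 0\rangle} R}{\nu P \xrightarrow{\overline{x}} R}
\qquad
\cdot \mathbin{|_{\nu}} \cdot\;\; \frac{P \xrightarrow{x} R \quad Q \xrightarrow{\overline{x}} S}{P \mid Q \xrightarrow{\tau} \nu(R \mid S)}
\qquad
\nu^{c}\,\cdot\;\; \frac{P \xrightarrow{\mathsf{push}^* c} R}{\nu P \xrightarrow{c} \nu R}
$$

$$
\nu^{b}\,\cdot\;\; \frac{P \xrightarrow{\mathsf{push}^* b} R}{\nu P \xrightarrow{b} \nu(\mathsf{swap}^* R)}
\qquad
{!\,\cdot}\;\; \frac{P \mid {!P} \xrightarrow{a} R}{{!P} \xrightarrow{a} R}
$$

Figure 1: Labelled transition rules ($P + \cdot$, $P \mathbin{|^{b}} \cdot$, $P \mathbin{|^{c}} \cdot$, $\cdot \mathbin{{}_{y}|} \cdot$ and $\cdot \mathbin{{}_{\nu}|} \cdot$ variants omitted)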


1. The use of push in the $\cdot \mathbin{{}^{b}|} Q$ rule corresponds to the usual side-condition asserting that the binder
being propagated by P is not free in Q. In the de Bruijn setting every binder “locally” has the
name 0, and so this requirement can be operationalised by rewiring Q so that the name 0 is
reserved. The push will be matched by a later pop which substitutes for 0, in the event that the
action has a successful rendezvous.

2. The $\nu\,\cdot$ rule requires an extrusion to be initiated by an output of the form $\overline{x+1}\langle 0\rangle$, capturing the
usual side-condition that the name being extruded on is distinct from the name being extruded.

3. The rules of the form $\nu^{a}\,\cdot$ require that the action being propagated has the form $\mathsf{push}^* a$, ensuring
that it contains no uses of index 0. This corresponds to the usual requirement that an action can
only propagate through a binder that it does not mention.

The use of swap in the $\nu^{b}\,\cdot$ case follows Hirschkoff [14] and has no counterpart outside of the de
Bruijn setting. As a propagating binder passes through another binder, their local names are 0 and 1.
Propagation transposes the binders, and so to preserve naming we rewire R with a “braid” that swaps 0
and 1. Since binders are also reordered by permutations that relate causally equivalent executions, the
swap renaming will also play an important role when we consider concurrent transitions (§3).

The following schematic derivation shows how the compact notation works. Suppose $E : P \longrightarrow R$
takes place immediately under a ν-binder, causing the scope of the binder to be extruded. Then
suppose the resulting bound output propagates through another binder, giving the partial derivation on
the left:

_ 

. vP ■■ 

1/ • -=- 

vvP —^—> vR 


vE 


vP . T+k 


v^vE 


vvP ■ 


vR 


vvP ■ 


vR 


with E standing in for the rest of the derivation. The blue constructors annotating the left-hand side of 
the derivation tree can be thought of as a partially unrolled “transition term” representing the proof 
The $\cdot$ placeholders associated with each constructor are conceptually filled by the transition terms
annotating the premises of that step. We can “roll up” the derivation by a single step, by moving the 
premises into their corresponding placeholders, as shown in the middle figure. 

By repeating this process, we can write the whole derivation compactly as v^vE, as shown on the 
right. Thus the compact form is simply a flattened transition derivation: similar to a simply-typed 
lambda calculus term written as a conventional expression, in a (Church-style) setting where a term is, 
strictly speaking, a typing derivation. 


2.2.1 Residuals of transitions and renamings 

A transition survives any suitably-typed renaming. As alluded to already, this will be essential to
formalising causal equivalence. First we define the (rather trivial) residual of a renaming $\rho : \Gamma \to \Delta$
after an action $a : \mathsf{Action}\ \Gamma$.

Definition 1 (Residual of $\rho$ after a).

$$
\begin{array}{l}
\rho/b \stackrel{\text{def}}{=} \rho + 1 \\
\rho/c \stackrel{\text{def}}{=} \rho
\end{array}
$$

The complementary residual $a/\rho$ is also defined and is simply the renamed action $\rho^* a$ defined earlier in
§2.1.1. We use the latter notation.

Lemma 9. Suppose $E : P \xrightarrow{a} Q$ and $\rho : \Gamma \to \Delta$, where $\Gamma \vdash P$. Then there exists a transition
$E/\rho : \rho^* P \xrightarrow{\rho^* a} (\rho/a)^* Q$ such that $\mathsf{tgt}(E/\rho) = (\rho/a)^* Q$.

The proof is the obvious lifting of a renaming to a transition, and is given in Appendix C.

We would not expect $E/\rho$ to be derivable for arbitrary $\rho$ in all extensions of the π-calculus. In
particular, the mismatch operator $[x \neq y]P$ that steps to P if x and y are distinct names is only stable
under injective renamings.


2.2.2 Structural congruences 

We believe our semantics to be closed under the usual π-calculus congruences, but have not attempted
to formalise this. The “braiding” congruence $\cong$ introduced in §3.2.1 is in fact a standard π-calculus
congruence, which we use to track changes in the relative position of binders under permutations
of traces. This could be generalised to include more congruences, but at a corresponding cost in
formalisation complexity.


3 Concurrency and residuals 

We now use the compact notation for derivations to define a notion of concurrency for transitions with
the same source state, following the work of Boudol and Castellani for CCS [4]. Concurrent transitions
are independent, or causally unordered: they can execute in either order without significant interference.
Permutation of concurrent transitions induces a congruence on traces, which is the topic of §4.

3.1 Concurrent transitions

Transitions $P \xrightarrow{a} R$ and $Q \xrightarrow{a'} S$ are coinitial iff P = Q. We now define a symmetric and
irreflexive relation $\smile$ over coinitial transitions. If $E \smile E'$ we say E and E' are concurrent. The relation
is defined as the symmetric closure of the rules given in Figure 2, again with trivial variants of the rules
omitted. For the transition constructors of the form $\cdot \mathbin{{}^{a}|} Q$ and $\nu^{a}\,\cdot$ which come in bound and non-bound
variants, we abuse notation a little and write a single $\smile$ rule quantified over a to mean that there are
two separate (but otherwise identical) cases.






Figure 2: Concurrent coinitial transitions (P + •, and some • • and • • variants omitted) 

The first rule, $P \mathbin{|^{a}} F \smile E \mathbin{{}^{a'}|} Q$, says that two transitions E and F are concurrent if they take
place on opposite sides of the same parallel composition. The remaining rules propagate concurrent
sub-transitions up through ν, choice, parallel composition, and replication. Note that there are no
rules allowing us to conclude that a left-choice step is concurrent with a right-choice step: choices
are mutually exclusive. Likewise, there are no rules allowing us to conclude that an input or output
transition is concurrent with any other transition; since both E and E' are required to be coinitial, if
one of them is an input or output step then they are equal and hence not concurrent.

The P ly P ^ P^ IJ P^ rule says that a rendezvous is concurrent with another rendezvous under the 
same parallel composition, as long as the two inputs are concurrent on the left, and the two outputs 
are concurrent on the right. The P |y P ^ P^ P^ variant is similar, but permits concurrent input and 
output on the left, with their rendezvous partners concurrent on the right. The P | y P ^ P^ ^ | P^ rule 
and variants permit a regular rendezvous and an extrusion-rendezvous to be concurrent. 

3.2 Residuals of concurrent transitions 

Intuitively, if $E \smile E'$ then E and E' are “parallel moves” in the sense of Curry and Feys [9]: if either
execution step is taken, the other remains valid, and if both are taken, one ends up in (essentially) the
same state, regardless of which step is taken first.

However, concurrent transitions are not completely independent: the location and nature of the
redex identified by one transition may change as a consequence of the earlier transition. This intuition
is captured by the notion of the residual $E/E'$, explored notably by Levy in the lambda calculus [16],
and later considered by Stark for concurrent transition systems [25] and in the specific setting of CCS
by Boudol and Castellani [4]. The residual specifies how E must be adjusted to take into account the
fact that E' has taken place.

Definition 2 (Residual). Suppose $E \smile E'$. Then the residual of E after E', written $E/E'$, is given by
the least function satisfying the equations in Figure 3.

The operator $\cdot/\cdot$ has higher precedence than any transition constructor. The definition makes use
of the renaming lemmas in §2.1.2 and is rather tricky; Appendix C.1 gives several examples which
illustrate some of the subtleties that arise in the π-calculus setting, in particular relating to name
extrusion.


(PrF)/(EnQ) = tgt(E)rF 
(PrE)/(E^|0) = tgt(E)rpush*E 
(E“|Q)/(PrE) = E“|tgt(E) 
(E“|0)/(P|^E) = push*E“|tgt(E) 
(E°|0)/(E'|JE) = (pop y)*(E/Er|tgt(E) 
(Pr F)I(E\IF') = (pop y)*tgt(E)rE/E' 
(E\lF)l(E'‘’\Q) = EIE'\lposh*F 
(E\IF)I(E'^\Q) = EIE'\IF 
(E\l F)I(P F') ^ posh*E\l FIE' 
(E\IF)I(P\^F') = E\IFIF' 

(E^l Q)I(E'\IF) ^ v^EIE'^\tgt(F)) 
(E^l Q)I(E'\IF) = t7(E/E'^+i<'>>| tgt(E)) 
(EH Q)I(E'\IF) = v^(E/E'P“^'^‘ntgt(E)) 
(PFE)/(E|;EO=v^(tgt(E)^E/EO 
(p r E)/(E r, F') =t7(tgt(E) fif') 
(P\^F)l(E\lF')=u^(tgt(E)r^*^FIF') 
{E\lF)l(E'‘’\Q) = EIE'\lposh*F 
{E\IF)I{E'^\Q)^EIE'\IF 
(E\l F)I(P\^-F') = push*E\l FIF' 
{E\lF)l{P\^F')^push*E\lFIF' 
(E\IF)I(P\^F')^E\IFIF' 
(E+Q)I(E'+Q) = FIE' 

(P1^ E)/(P 1^ F') = pushup 1^ FIF' 


(P1^ E)/(P 1^ F') = push*P I* FIF' 

(P1^E)/(P 1“ F') = push*P FIF' 

(P r E)/(P I* E') = push*P I" E/E' 
(P|“E)/(P|"E') = P|°E/E' 

(E'^l Q)/(E'^|Q) = E/E"^| push*C» 
(E^|Q)/(E'^| Q) = E/E'J]j)ush*C> 

(E'^l 0)/(E'“| Q) = E/E"'+^W| push*0 
(EnQ)/(E'^|Q) = E/E'npush*C» 
(E''|0)/(E'nO) = E/E'“|Q 
(E|JE)/(E'|JE') = (popz)*(E/E')|JE/E' 
(E|JE)/(E'|;E')= v^(E/E'|JE/E') 

(E i; E)/(E' \l F') = (pop z)*{EIE')\l FIF' 
(E\lF]l(E'\lF']=y^(EIE'\lFIF'] 
(yE)l(VE') = FIE' 

{vE)l{v‘’E') = t7swap*(E/E') 
(vE)l(v^E')^VEIE' 

(v‘'E)l(vE') = EIE' 
(v^E)l(vE')^EIE' 
{v^E)l{v^E')=vEIE' 

(v''E)l(v^E') = v" swap*(E/E') 
(v‘’E)l(v''E')= FIE' 

(y^E)l(y^E') = FIE' 

(!E)/(!E') = E/E' 


Figure 3: Residual of E after E', omitting • y| • and • • cases 


3.2.1 Cofinality of residuals 

The idea that one ends up in the same state regardless of whether E or E' is taken first is called
cofinality. In CCS, where actions never involve binders, and in the lambda calculus, where binders do
not move around, cofinality simply means the target states are equivalent. Things are not quite so
simple in late-style π-calculus, because binders propagate during execution, as bound actions. Consider
the process $x.P \mid z.Q$ with two concurrent input actions. Initiating one of the inputs (say x) starts
propagating a binder. As this binder passes through the parallel composition, the transition rules use
push to “reserve” the free variable 0 in the right half of the process for potential use by a subsequent
pop:

$$
\frac{\Gamma \vdash x.P \xrightarrow{x} \Gamma + 1 \vdash P}
     {\Gamma \vdash x.P \mid z.Q \xrightarrow{x} \Gamma + 1 \vdash P \mid (z+1).(\mathsf{push} + 1)^* Q}
$$

When the action $z + 1$ is performed, a push on the left leaves the final state with both 0 and 1 reserved:

$$
\frac{\Gamma + 1 \vdash (z+1).(\mathsf{push} + 1)^* Q \xrightarrow{z+1} \Gamma + 2 \vdash (\mathsf{push} + 1)^* Q}
     {\Gamma + 1 \vdash P \mid (z+1).(\mathsf{push} + 1)^* Q \xrightarrow{z+1} \Gamma + 2 \vdash \mathsf{push}^* P \mid (\mathsf{push} + 1)^* Q}
$$

Had these concurrent actions happened in the opposite order, the push on the left would have
been applied first. The final state would be $(\mathsf{push} + 1)^* P \mid \mathsf{push}^* Q$, which is the image of $\mathsf{push}^* P \mid
(\mathsf{push} + 1)^* Q$ in the permutation swap which renames 0 to 1 and 1 to 0. Instead of the usual cofinality
square, the final states are related by a “braid” (in the form of a swap) which permutes the free names:

$$
\begin{array}{l}
\Gamma \vdash x.P \mid z.Q \xrightarrow{x} \Gamma + 1 \vdash P \mid (z+1).(\mathsf{push} + 1)^* Q \xrightarrow{z+1} \Gamma + 2 \vdash \mathsf{push}^* P \mid (\mathsf{push} + 1)^* Q \\[4pt]
\Gamma \vdash x.P \mid z.Q \xrightarrow{z} \Gamma + 1 \vdash (x+1).(\mathsf{push} + 1)^* P \mid Q \xrightarrow{x+1} \Gamma + 2 \vdash (\mathsf{push} + 1)^* P \mid \mathsf{push}^* Q \\[4pt]
\Gamma + 2 \vdash \mathsf{push}^* P \mid (\mathsf{push} + 1)^* Q \xrightarrow{\mathsf{swap}^*} \Gamma + 2 \vdash \mathsf{swap}^* \mathsf{push}^* P \mid \mathsf{swap}^* (\mathsf{push} + 1)^* Q \;\overset{\alpha,\,\beta}{=}\; \Gamma + 2 \vdash (\mathsf{push} + 1)^* P \mid \mathsf{push}^* Q
\end{array}
$$

Here $\alpha$ and $\beta$ are equalities obtained from Lemma 5.
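The braid relating the two final states can be computed directly. This added Python example is not the paper's Agda code; the tuple encoding of processes and the function names `rename`, `closes`, `input_left`, `input_right` and `both_orders` are assumptions of the example. It implements the lifting of renamings to processes from §2.1.1, performs the two inputs of x.P | z.Q in both orders, and lets the caller check that swap* maps one final state to the other.

```python
# Processes as tuples: ("nil",), ("in", x, P), ("out", x, y, P),
# ("sum", P, Q), ("par", P, Q), ("nu", P), ("bang", P).
NIL = ("nil",)

def push(x):
    return x + 1

def swap(x):
    return {0: 1, 1: 0}.get(x, x)

def lift(rho):
    """rho + 1: index 0 is bound locally, everything else is shifted past it."""
    return lambda x: 0 if x == 0 else rho(x - 1) + 1

def rename(rho, p):
    """Functorial extension rho* of a renaming to processes."""
    tag = p[0]
    if tag == "nil":
        return p
    if tag == "in":                      # x.P binds index 0 in P
        return ("in", rho(p[1]), rename(lift(rho), p[2]))
    if tag == "out":
        return ("out", rho(p[1]), rho(p[2]), rename(rho, p[3]))
    if tag in ("sum", "par"):
        return (tag, rename(rho, p[1]), rename(rho, p[2]))
    if tag == "nu":                      # nu binds index 0 as well
        return ("nu", rename(lift(rho), p[1]))
    if tag == "bang":
        return ("bang", rename(rho, p[1]))
    raise ValueError(f"unknown constructor {tag!r}")

def closes(n, p):
    """True when the context {0, ..., n - 1} closes p."""
    tag = p[0]
    if tag == "nil":
        return True
    if tag == "in":
        return p[1] < n and closes(n + 1, p[2])
    if tag == "out":
        return p[1] < n and p[2] < n and closes(n, p[3])
    if tag in ("sum", "par"):
        return closes(n, p[1]) and closes(n, p[2])
    if tag == "nu":
        return closes(n + 1, p[1])
    if tag == "bang":
        return closes(n, p[1])
    raise ValueError(f"unknown constructor {tag!r}")

def input_left(p):
    """x.P | Q --x--> P | push*Q: bound input propagated from the left."""
    _, left, right = p
    if left[0] != "in":
        raise ValueError("left component is not an input prefix")
    return left[1], ("par", left[2], rename(push, right))

def input_right(p):
    """P | z.Q --z--> push*P | Q: the symmetric rule."""
    _, left, right = p
    if right[0] != "in":
        raise ValueError("right component is not an input prefix")
    return right[1], ("par", rename(push, left), right[2])

def both_orders(P, Q, x, z):
    """Run the inputs of x.P | z.Q in either order.

    Returns ((action1, action2, final), (action1', action2', final')).
    """
    start = ("par", ("in", x, P), ("in", z, Q))
    a1, mid = input_left(start)
    a2, end_xz = input_right(mid)
    b1, mid = input_right(start)
    b2, end_zx = input_left(mid)
    return (a1, a2, end_xz), (b1, b2, end_zx)
```

The two final states are syntactically different, and `rename(swap, ...)` applied to the first yields the second, which is the braid described above.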

It is not just the reordering of bound actions which nuances π-calculus cofinality. When two τ
actions are reordered, which happen to be extrusion rendezvous of distinct binders, the resulting binders
exchange positions in the final process. In the standard π-calculus this would be subsumed by the
congruence $(\nu xy)\,P \cong (\nu yx)\,P$. In the de Bruijn setting, where adjacent binders cannot be distinguished,
the analogous rule is $\nu\nu P \cong \nu\nu(\mathsf{swap}^* P)$, which applies a swap braid under the two binders.

These two possibilities are subsumed by the following generalised notion of cofinality. First we
define a braiding congruence $\cong$ just large enough to permit swap under a pair of binders. “Cofinality” is
then defined using a more general braiding relation which additionally permits swaps of free variables.
Examples showing reordered extrusions are given in Appendix C.1, including concurrent extrusions of
the same binder, an interesting case identified by Cristescu et al. [8].

Definition 3 (Braiding congruence). Inductively define the binary relation $\cong$ over processes using the
rules given in Figure 4.

In Figure 4, rule names are shown to the left in blue, permitting a compact term-like notation for $\cong$
proofs similar to the convention we introduced earlier for transitions. The process constructors are
overloaded to witness compatibility; transitivity is denoted by $\circ$. It is easy to see that $\cong$ is also reflexive
and symmetric, and therefore a congruence. P^ denotes the canonical proof that $P \cong P$.

In what follows $\varphi$ and $\psi$ range over braiding congruences; src($\varphi$) and tgt($\varphi$) denote P and R, for
any $\varphi : P \cong R$. As with transitions, braiding congruences are stable under renamings, giving rise to the
usual notion of residuation; however $\rho/\varphi$ is always $\rho$. The proof is a straightforward induction.
P '^R


R=S P=R 


w-swapp 


w(swap*P) = vvP 
P = R 

x{y).- 


x.P ^ x.R 


vv-swapp 

P = R 

x{y).P = x{y).R 
P = R 

V- - 

vP = vR 


vvP = vv(swap*P) 

P^R Q^S 
P+Q=R+S 

P = R 


■ + ■ 


I. 


!P= !R 


0 


P=S 0=0 

P=R Q^S 
''' P\Q = R\S 


Figure 4: Braiding congruence = 


Lemma 10. For any $\Gamma \vdash P$, suppose $\varphi : P \cong Q$ and $\rho : \Gamma \to \Delta$. Then there exists a braiding congruence
$\varphi/\rho : \rho^* P \cong \rho^* Q$.


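Definition 4 (Braiding). For any $\Delta \in \{0, 1, 2\}$ define the following family of bijective renamings
$\mathsf{braid}_{\Gamma,\Delta} : \Gamma + \Delta \to \Gamma + \Delta$ and symmetric braiding relations $\bowtie_{\Gamma,\Delta}$ over processes in $\Gamma + \Delta$.

$$
\begin{array}{l}
\mathsf{braid}_{\Gamma,0} = \mathsf{id}_{\Gamma} : \Gamma \to \Gamma \\
\mathsf{braid}_{\Gamma,1} = \mathsf{id}_{\Gamma + 1} : \Gamma + 1 \to \Gamma + 1 \\
\mathsf{braid}_{\Gamma,2} = \mathsf{swap}_{\Gamma} : \Gamma + 2 \to \Gamma + 2
\end{array}
\qquad
P \bowtie_{\Gamma,\Delta} P' \iff \mathsf{braid}_{\Gamma,\Delta}^{*} P \cong P'
$$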


Our key soundness result is that residuals of concurrent transitions E and E' are always cofinal
up to a braiding of type $\bowtie_{\Gamma,\Delta}$ where $\Delta \in \{0, 1, 2\}$ is the number of free variables introduced by E and
$E'/E$. Rather than the usual parallel-moves square on the left, the residuals satisfy pentagons of the
form shown in the centre of Figure 5, where $\gamma : Q \bowtie_{\Gamma,\Delta} Q'$ is a braiding.




Figure 5: Cofinality in the style of CCS (left); with explicit braiding (right) 


Arranging for this to hold by construction introduces a certain amount of complexity, so we prove 
cofinality as a separate theorem. 
Theorem 1 (Cofinality of residuals). Suppose E and E' are the transitions on the right of Figure 5, with
$E \smile E'$. Then there exists $\mathsf{cofin}_{E,E'} : Q \bowtie_{\Gamma,\Delta} Q'$.

The notion of concurrency extends into dimensions greater than two. Following Pratt’s
higher-dimensional automata [23], we can consider a proof $\chi : E \smile E'$ as a surface that represents the
concurrency of E and E' without committing to an order of occurrence. Every such $\chi : E \smile E'$ has
a two-dimensional residual with respect to a third concurrent transition E''. First we note that
concurrent transitions are closed under renamings.

Lemma 11. Suppose $\rho : \Gamma \to \Delta$ and E, E' are both transitions from $\Gamma \vdash P$, with $\chi : E \smile E'$. Then there
exists $\chi/\rho : E/\rho \smile E'/\rho$.

Proof. By induction on y, using Lemma|^ □ 

Theorem 2 (Residuation preserves concurrency).
Suppose $\chi : E \smile E'$ with $E \smile E''$ and $E' \smile E''$. Then there exists $\chi/E'' : E/E'' \smile E'/E''$.

Proof. By induction on $\chi$ and inversion on the other two derivations, using Lemma 11. □

Theorem 3. Suppose $\chi : E \smile E'$, with $E' \smile E''$ and $E'' \smile E$. Then:

$$((E'/E'')/(E/E''))/\mathsf{cofin} = (E'/E)/(E''/E)$$

The diagram below illustrates Theorems [^ and |^ informally. The three faces $\chi$, $\chi'$ and $\chi''$ with $P$ as
a vertex witness the pairwise concurrency of $E$, $E'$ and $E''$. Theorem |^ ensures that these have opposite
faces $\chi/E''$, $\chi'/E$ and $\chi''/E'$. Theorem [^ states that, up to a suitable braiding, there is a unique residual
of a one-dimensional transition after a concurrent two-dimensional one, connecting the faces $\chi'/E$ and
$\chi''/E'$ via the shared edge $E''/\chi$. Analogous reasoning for $E/\chi'$ and $E'/\chi''$ yields a cubical transition
with target

[Diagram: cube of transitions with vertices $P$, $R$, $R'$, $\mathbf{S}_1$, $\mathbf{S}_2$ and $\mathbf{P}'$; edge labels include $E'$ and $E''/E$]


The bold font for $\mathbf{S}_1$, $\mathbf{S}_2$, $\mathbf{S}_3$ and indicates that they represent not a unique process but a
permutation group of processes related by braidings. At $\mathbf{P}'$ there are potentially $3! = 6$ variants of the
target process, one for each possible interleaving of $E$, $E'$ and $E''$. The notation $E''/\chi$ is again informal,
referring not to a unique transition but to a permutation group related by braidings.

4 Causal equivalence

4.1 Traces

Define $\mathsf{Action}^*\,\Gamma$ to be the set of finite sequences of composable actions starting at $\Gamma$. The empty
sequence at $\Gamma$ is written $[]$; extension to the left is written $a :: \tilde{a}$. A trace $t : P \longrightarrow R$ is a finite
sequence of composable transitions with initial state $\mathsf{src}(t) = P$ and final state $\mathsf{tgt}(t) = R$. The empty
trace at $P$ is written $[]_P$; extension to the left of $t : R \longrightarrow S$ by $E : P \longrightarrow R$ is written $E :: t$.


4.2 Residuals of traces and braidings 


To define the residual of a trace $t$ with respect to a braiding $\gamma$, we first observe that a braiding congruence
$\phi : P \cong P'$ commutes (on the nose) with a transition $E : P \longrightarrow Q$, inducing the corresponding notions
of residual $\phi/E$ (the image of the braiding congruence in the transition) and $E/\phi$ (the image of the
transition in the braiding congruence).


Theorem 4. Suppose $E : P \longrightarrow R$ and $\phi : P \cong P'$. Then there exists a process $R'$, transition
$E/\phi : P' \longrightarrow R'$ and structural congruence $\phi/E : R \cong R'$.

Proof. By the defining equations in Figure

Unlike residuals of the form $E/E'$, the cofinality of $E/\phi$ and $\phi/E$ is by construction. Appendix C.2
illustrates cofinality for the cases where $\phi$ is of the form $\nu\nu\text{-swap}_P$.

To extend this notion of residuation from braiding congruences to braidings requires a more general
notion of braiding which permits the renaming component of the braiding to be shifted under a
binder. First recall (from Definition that any braiding $\gamma : P \bowtie P'$ is of the form $\phi \circ \mathsf{braid}_{\Gamma,\Delta}$,
where $\mathsf{braid}_{\Gamma,\Delta} : \Gamma + \Delta \to \Gamma + \Delta$ is the renaming $\mathsf{id}$ or $\mathsf{swap}$, as determined by $\Delta \in \{0,1,2\}$, and $\phi$
is a braiding congruence. We omit the $\Gamma, \Delta$ subscripts whenever possible. The more general form of
braiding allows the $\mathsf{braid}$ and $\phi$ components to be translated by an arbitrary context $\Delta$.

Definition 5 ($\Delta$-shifted braiding). For any context $\Delta$ define

$$P \bowtie^{\Delta} P' \iff (\mathsf{braid}_{\Gamma,\Delta'} + \Delta)^* P \cong P'$$

Now we define the residual of a transition $E : \Gamma \vdash P \longrightarrow \Gamma + \Delta \vdash R$, where $\Delta \in \{0,1\}$, and
coinitial braiding $\gamma$ and show that the residual $\gamma/E$ is $\gamma$ shifted by $\Delta$.

Definition 6 (Residuals of transitions and braidings). For any transition $E : P \longrightarrow R$ and braiding
$\gamma : P \bowtie P'$ with $\gamma = \phi \circ \sigma$, define $E/\gamma$ and $\gamma/E$ by the following equations.

$$E/(\phi \circ \sigma) = (E/\sigma)/\phi \qquad (\phi \circ \sigma)/E = (\phi/(E/\sigma)) \circ \sigma/a$$

Cofinality is immediate by composing the square obtained by applying Lemma to $E$ and $\sigma$ with the
square obtained from Theorem]^ above to $\phi$ and $E/\sigma$. Closure of ($\Delta$-shifted) braidings under residuation
follows from the fact that $\sigma/a = \sigma + \Delta'$ for some $\Delta' \in \{0,1\}$.


= v^V(swap*E) 

w-swap5|.j.j£j/(\/^T7E) = ■i7\/^^^^*’^(swap*E) 
vv-swap 5 ^(.j£j/(v'^ E) = v’^v’^ (swap*E) 
w-swap 5 |.j,(£j/(v^\/* E) = (swap*E) 
(x.P)/(x.0) = x.tgt(0) 
(x(y).P)/(x(y).0) = x(y).tgt(0) 
(E+Q)/(0+ <//) = E/0+ tgt((//) 
(E^|Q)/(0 + 0) = E/0^|tgt(0) 
(EnQ )/(0 + 0 ) = E/ 0 ntgt( 0 ) 
(P|^E)/(0 + 0) = tgt(0)|^E/0 
(PrE)/(0 + 0) = tgt(0)rE/0 
(E|JE)/(0|0) = E/0|JE/0 
(Er.E)/( 0 | 0 ) = E/ 0 |;E /0 
(VE)/(v0)= vE/0 
{v‘’E)l{vcP)=v‘’Elc^ 
(v^E)/(v 0 )= v^E /0 
(!E)/(!0)=!E/(0|!0) 
E/(0'o0) = (E/0)/0' 


vv-swap,^,,^)/(Vv^+^W£) 

vv-swap3^,(^)/(v^Y^) 
vv-swap3^,,f)/(v"v" E) 
vv-swap,,^(fr)/(vV'' E) 
(x.0)/(x.P) 
(x(y).0)/(x(y).P) 
(0 + 0)/(E+Q) 

(0 + <A)/(f''|(?) 
(0 + <A)/(fnO) 

(0+0)/(P|''E) 
(0 + 0 )/(PrE) 
(0l<A)/(f|5O 
(0l<A)/(fi:O 

(v0)/(VE) 

(v0)/(v''E) 

(v0)/(v^E) 

mim 

(0'o0)/E 


vtgt(E), 

V swap*tgt(E)^ 
vv-swap(^j,^) 

'"'"-swap^^.p* 

(swap+1 )*swap*tgt(E) 

0 

0 

(plE 

(plE I push*0 
0/E|0 
push*0 I 0/E 
0I0/E 
(pop y)*0/E 
v(0/E I 0/E) 

4>IE 

y swap*0/E 

v(^IE 

(0|!0)/E 

(07(e/0))o0/e 


Figure 6: Residual of transition $E$ and coinitial braiding congruence $\phi$


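[Diagram: $P$, $E$, $R$; $(\sigma + \Delta)^*P$, $E/(\sigma + \Delta)$, $\sigma + \Delta'$; $\phi$, $\phi/(E/(\sigma + \Delta))$, $(E/(\sigma + \Delta))/\phi$, $P'$]

where both $E/(\sigma + \Delta)$ and $(E/(\sigma + \Delta))/\phi$ have the action $(\sigma + \Delta)^* a$.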

Finally, we extend the definition to traces. 

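Definition 7 (Residuals of action sequences and renamings).
Suppose $\rho : \Gamma \to \Delta$ and $\tilde{a} : \mathsf{Action}^*\,\Gamma$. Define the residuals $\rho/\tilde{a}$ and $\tilde{a}/\rho$, writing the latter as $\rho^*\tilde{a}$.

$$\rho/[]_\Gamma = \rho \qquad \rho/(a :: \tilde{a}) = (\rho/a)/\tilde{a}$$
$$\rho^*[]_\Gamma = []_\Delta \qquad \rho^*(a :: \tilde{a}) = (\rho^* a) :: (\rho/a)^*\tilde{a}$$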
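
The equations of Definition 7, together with the earlier fact that the residual of a renaming after an action is the renaming shifted by 0 or 1, as an added Python example (not part of the paper's Agda development). The tuple encoding of actions, the choice that inputs and bound outputs shift by 1, and the helper names (lift, rename_seq, residual_after_seq, equal_on) are assumptions made for illustration.

```python
"""Renaming an action sequence (Definition 7) over de Bruijn indices.

Assumed encoding, not the paper's Agda: a renaming is a function on
indices; an action is a tuple whose tag says whether it binds a name.
"""

def push(n):                # push : G -> G + 1, weaken past a new binder
    return n + 1

def pop(x):                 # pop x : G + 1 -> G, substitute x for index 0
    return lambda n: x if n == 0 else n - 1

def swap(n):                # swap : G + 2 -> G + 2, exchange the two newest names
    return {0: 1, 1: 0}.get(n, n)

def lift(rho, k=1):         # rho + k: fix the k newest indices, shift rho under them
    return lambda n: n if n < k else rho(n - k) + k

def compose(f, g):          # f after g
    return lambda n: f(g(n))

def equal_on(f, g, size):   # extensional equality on a context of `size` names
    return all(f(n) == g(n) for n in range(size))

# Constructed action encoding: ("in", x) and ("bout", x) bind one name;
# ("out", x, y) and ("tau",) bind none.
BOUND_TAGS = {"in", "bout"}

def binds(action):
    return 1 if action[0] in BOUND_TAGS else 0

def rename_action(rho, action):             # rho* a
    return (action[0],) + tuple(rho(n) for n in action[1:])

def residual_after_action(rho, action):     # rho/a = rho + D', D' in {0, 1}
    return lift(rho, binds(action))

def rename_seq(rho, seq):                   # rho*(a :: as) = rho* a :: (rho/a)* as
    out = []
    for action in seq:
        out.append(rename_action(rho, action))
        rho = residual_after_action(rho, action)
    return out

def residual_after_seq(rho, seq):           # rho/(a :: as) = (rho/a)/as
    for action in seq:
        rho = residual_after_action(rho, action)
    return rho

def rename_seq_unshifted(rho, seq):         # the mistake: rho is never shifted
    return [rename_action(rho, a) for a in seq]

# Constructed sample: two free names (indices 0 and 1) at the start.
SEQ = [("bout", 1), ("out", 0, 2), ("tau",), ("in", 2)]

if __name__ == "__main__":
    print(rename_seq(swap, SEQ))
    print(rename_seq_unshifted(swap, SEQ))
    print([residual_after_seq(swap, SEQ)(n) for n in range(5)])
```

The unshifted variant renames the second action to ("out", 1, 2), treating the index 0 bound by the preceding bound output as if it were a free name.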


Lemma 12 (Residuals of traces and braidings).
Suppose $t : P \longrightarrow R$ and $\gamma = \phi \circ \sigma : P \bowtie^{\Delta} P'$. Then there exists a process $R'$, trace $t/\gamma : P' \longrightarrow R'$ and
braiding $\gamma/t : R \bowtie R'$.

Proof. By the following defining equations.

$$[]_P/\gamma = []_{P'} \qquad (E :: t)/\gamma = (E/\gamma) :: t/(\gamma/E)$$
$$\gamma/[]_P = \gamma \qquad \gamma/(E :: t) = (\gamma/E)/t$$


4.3 Causal equivalence 

We now define causal equivalence, the congruence over traces induced by the notion of transition
residual from §3.2. A causal equivalence $\alpha : t \simeq u$ witnesses the reordering of one trace $t$ into a
coinitial trace $u$ by the permutation of concurrent transitions. Meta-variables $\alpha$, $\beta$ range over causal
equivalences.

Definition 8. Inductively define the relation $\simeq$ given by the rules in Figure where syntactically $\simeq$
has lower priority than $::$. If $\alpha : t \simeq u$ then $\mathsf{src}(\alpha)$ and $\mathsf{tgt}(\alpha)$ denote $t$ and $u$ respectively.



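$$\dfrac{}{[]_P \simeq []_P} \qquad \dfrac{E : P \longrightarrow R \quad t \simeq u \quad \mathsf{src}(t) = R}{E :: t \simeq E :: u} \qquad \dfrac{t' \simeq u \quad t \simeq t'}{t \simeq u}$$

$$\dfrac{E : P \longrightarrow R \quad E' : P \longrightarrow R' \quad t \simeq u \quad E \smile E'}{E :: E'/E :: t \simeq E' :: E/E' :: u/\mathsf{cofin}_{E,E'}}$$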


Figure 7: Causal equivalence 

The $[]_P$ and $E :: \alpha$ rules are the congruence cases. The $\alpha \circ \beta$ rule closes under transitivity, which
is a form of vertical composition. The transposition rule $(E \smile E') :: \alpha$ extends an existing causal
equivalence $\alpha : t \simeq u$ with the two possible interleavings of concurrent steps $E \smile E'$. What is interesting
about this rule is that the trace $u$ must be transported through the braiding $\mathsf{cofin}_{E,E'}$ witnessing the
cofinality of $E$ and $E'$, in order to obtain a trace $u/\mathsf{cofin}_{E,E'}$ composable with $E'/E$. The following
diagram illustrates.

[Diagram: $R' \longrightarrow Q' \longrightarrow S''$, labelled $E/E'$ and $u/\mathsf{cofin}_{E,E'}$]

As the diagram suggests, the transposition rule causes braidings to compose vertically. Here, $\mathsf{cofin}_{\alpha}$
is a composite braiding relating $S$ to $S'$, which is extended by the braiding $\mathsf{cofin}_{E,E'}/u$ to relate $S$ to $S''$.
We leave formalising this aspect of causal equivalence to future work.

Theorem 5. $\simeq$ is an equivalence relation.

Proof. Reflexivity is a trivial induction, using the $[]_P$ and $E :: \alpha$ rules. Transitivity is immediate from the
$\alpha \circ \beta$ rule. Symmetry is trivial in the $[]_P$, $E :: \alpha$ and $\alpha \circ \beta$ cases. The $(E \smile E') :: \alpha$ case requires the
symmetry of $\smile$ and that $(u/\mathsf{cofin}_{\alpha})/\mathsf{cofin}_{\alpha}^{-1} = u$, where $u = \mathsf{tgt}(\alpha)$.

5 Related work 

Hirschkoff’s $\mu s$ calculus [14] has a similar treatment of de Bruijn indices. Its renaming operators $\langle x \rangle$, $\phi$
and $\psi$ are effectively our $\mathsf{pop}\ x$, $\mathsf{push}$ and $\mathsf{swap}$ renamings, but fused with the $\cdot^*$ operator which applies
a renaming to a process. Hirschkoff’s operators are also syntactic forms in the $\mu s$ calculus, rather than
meta-operations, and therefore the operational semantics also includes rules for reducing occurrences
of the renaming operators that arise during a process reduction step.

Formalisations of the $\pi$-calculus have been undertaken in several theorem provers used for mechanised
metatheory. Due to space limits, we limit attention to closely-related formalisation techniques
based on constructive logics.

Coq. Hirschkoff [13] formalised the $\pi$-calculus in Coq using de Bruijn indices, and verified
properties such as congruence and structural equivalence laws of bisimulation. Despeyroux [12]
formalised the $\pi$-calculus in Coq using weak higher-order abstract syntax, assuming a decidable type of
names, and using two separate transitions, for ordinary, input and output transitions respectively; for
input and output transitions the right-hand side is a function of type name → proc. This formalisation
included a simple type system and proof of type soundness. Honsell, Miculan and Scagnetto [15]
formalised the $\pi$-calculus in Coq, also using weak higher-order abstract syntax. The type of names name
is a type parameter assumed to admit decidable equality and freshness (notin) relations. Transitions
are encoded using two inductive definitions, for free and bound actions, which differ in the type of the
third argument (proc vs. name → proc). Numerous results from Milner, Parrow and Walker [19] are
verified, using the theory of contexts (whose axioms are assumed in their formalisation, but have been
validated semantically).

CLF. Cervesato, Pfenning, Walker and Watkins [6] formalise synchronous and asynchronous
versions of $\pi$-calculus in the Concurrent Logical Framework (CLF). CLF employs higher-order abstract
syntax, linearity and a monadic encapsulation of certain linear constructs that can identify objects such
as traces up to causal equivalence. Thus, CLF’s $\pi$-calculus encodings naturally induce equivalences on
traces. However, a nontrivial effort appears necessary to compare CLF’s notion of trace equivalence
with others (including ours) due to the distinctive approach taken in CLF.

Agda. Orchard and Yoshida [21] present a translation from a functional language with effects to a
$\pi$-calculus with session types and verify some type-preservation properties of the translation in Agda.

6 Conclusions and future work 

To the best of our knowledge, we are the first to report on a formalisation of the operational behavior of
the $\pi$-calculus in Agda. Compared to prior formalisations, ours is distinctive in two ways.

First, our formalisation employs an indexed family of types for process terms and uses the indices
instead of binding to deal with scope extrusion. Formalisations of lambda-calculi often employ this
technique, but to our knowledge only Orchard and Yoshida report a similar approach for a $\pi$-calculus
formalisation. This choice helps tame the complexity of de Bruijn indices, because many invariants are
automatically checked by the type system rather than requiring additional explicit reasoning.

Second, our work appears to be the first to align the notion of “proved transitions” from Boudol and
Castellani’s work on CCS with “transition proofs” in the $\pi$-calculus. This hinges on the capability to
manipulate and perform induction or recursion over derivations, and means we can leverage dependent
typing so that residuation is defined only for concurrent transitions, rather than on all pairs of transitions.
It is worth noting that while CLF’s approach to encoding $\pi$-calculus automatically yields an equivalence
on traces, it is unclear (at least to us) whether this equivalence is the same as the one we propose, or
whether such traces can be manipulated explicitly as proof objects if desired.

In future work we may explore trace structures explicitly quotiented by causal equivalence, such
as dependence graphs [17] or event structures [4]. We are also interested in extending braiding
congruence to the full $\pi$-calculus structural congruence, and in understanding whether and how ideas
from homotopy type theory [24], such as quotients or higher inductive types, could be applied to ease
reasoning about or correct programming with $\pi$-calculus terms (modulo structural congruence) or
traces (modulo causal equivalence).

A Agda module structure

Figure [^ summarises the module structure of the Agda formalisation.

Utilities
  Common                                  Useful definitions not found in the Agda standard library
  SharedModules                           Common imports from standard library

Core modules
  Action                                  Actions $a$
  Action.Concur                           Concurrent actions $a \smile a'$; residuals $a/a'$
  Action.Concur.Action                    Residual of $a \smile a'$ after $a''$
  Action.Seq                              Action sequences $\tilde{a}$
                                          Contexts $\Gamma$; names $x$
  Proc                                    Processes $P$
  Ren                                     Renamings $\rho : \Gamma \to \Gamma'$
  StructuralCong.Proc                     Braiding congruence relation $\phi : P \cong P'$
  StructuralCong.Transition               Residuals $E/\phi$ and $\phi/E$
  Transition                              Transitions $E : P \longrightarrow R$
  Transition.Concur                       Concurrent transitions $\chi : E \smile E'$; residuals $E/E'$
  Transition.Concur.Cofinal               Cofinality braidings $\gamma$
  Transition.Concur.Cofinal.Transition    Residuals $E/\gamma$ and $\gamma/E$
  Transition.Concur.Transition            Residual $\chi/E$
  Transition.Seq                          Transition sequences
  Transition.Seq.Cofinal                  Residuals $t/\gamma$ and $\gamma/t$; permutation equivalence $\alpha : t \simeq u$

Typical sub-modules
  .Properties                             Additional properties relating to X
  .Ren                                    Renaming lifted to X

Figure 8: Module overview


B Renaming lemmas 

Each lemma asserts the commutativity of the diagram on the left; when a string diagram is also provided, 
it should be interpreted as an informal proof sketch. 


[Commutative diagrams and string diagrams for the renaming lemmas, relating $\mathsf{push}$, $\mathsf{pop}\ 0$, $\mathsf{swap}$ and their shifted forms $\mathsf{push} + 1$ and $\mathsf{swap} + 1$ over the contexts $\Gamma + 1$, $\Gamma + 2$ and $\Gamma + 3$, and relating $\mathsf{push}$, $\mathsf{pop}$ and $\mathsf{swap}$ to a renaming $\rho : \Gamma \to \Delta$ and its shifted forms $\rho + 1$ and $\rho + 2$]
Proof-relevant π-calculus


C Additional proofs 


Proof of Lemmaj^ By the following mutually recursive proofs-by-induction on the derivations. The 
various renaming lemmas needed to enable the induction hypothesis in each case are omitted. 

p*E^ p*E^ 


p*{x{y).P) = px{py).p*P 
p*(E+F) = p*E + p*F 
p*(P\<^F) = p*Pf^p*F 
p*{E^\Q)^p*EP*^\p*Q 
p*(E\lF)^ p*E\J,>.yp*F 
p*(E\lF) = p*E\lp*F 
p^v^E)^vP*^{p + ^rE 
p*{\E)^\p*E 


p*(x.P) = px.(p + ^)*P 
p*{E+F)^p*E + p*F 
p^p\bF) = p*pfbp*F 
p*{E‘’\Q)^p*EP*‘’\p*Q 
p*{vE)^v{p + ^rE 
p*{v‘’E)^vP*‘’{p + ^rE 
p*{\E)^\p*E 


C.1 Additional illustrative cases of Theorem[T]

Example: permuting concurrent extrusions (different binders). First, note that the residuals of
bound output transitions are not themselves necessarily bound. More specifically, the residuals of the
output transition on $x$ with the output on $z$ are bound only if the outputs represent extrusions of different
$\nu$-binders. In this section we consider only the case when the concurrent extrusions are of different
$\nu$-binders.

In this case, each binder is unaffected by the extrusion of the other, and the residuals remain bound
outputs, shifted into $\Gamma + 1$ as usual. The general form of such residuals is:


F’‘ 

FhO 

F'* 


{F'IFP+'' 

r + 1 hS- >V + 2 hQ' 

swap* 

r + 2 h swap*Q' 


r + 1 h S'-= r + 21- Q" 


(F/F') 




where $\phi$ ranges over braiding congruence. Then the residual is able to handle the inner extrusion, with
the resulting $\tau$ action again propagated through the outer binder:


E 


F___ 

rro 


ri-p—s— >R 
rFP|(?- 


v(R IS) 


s 
v^E'IE\lF'IF)

r h v{R I S) -> r h i/i/(swap*P' I swap*Q') 


E\iy 
rhP| (? 


E'llF' 


i/i/-swapp/|Q, 

r h vv(P' I Q') 

vv{4> I (/() 


r h i/(P' I S')-> r h i/i/(P" I Q") 

C[EIE'\IFIF'] 


Example: permuting concurrent extrusions (same binder). Consider the process $\nu(\overline{x+1}\langle 0\rangle.P \mid \overline{z+1}\langle 0\rangle.Q)$,
as described in Cristescu et al. [8]. There are two concurrent outputs, both of which try to
extrude the top-level binder. Suppose we take the $\overline{x+1}\langle 0\rangle$ action first:

I TTT(0).P P 

r-r 11-T+T(o).p I T+T(o).(? r-h 11-p I JTT(o).(? 

(/• -^- 

r h i/(x-M(0).P I z-M {0).Q) —^ r-h 1 h P I z-M {0).Q 

If we then take the $\overline{z+1}\langle 0\rangle$ action, the enclosing $\nu$-binder no longer exists, and so $\overline{z+1}\langle 0\rangle$ simply
propagates as a non-bound action.

P . r + ih^(o).Q^±l^r + ihQ 

r-i-1 hPi JTT(o).(?^i^r-M i-P| t? 

Example: permuting one extrusion-rendezvous with another. Now consider what happens 
when the extrusions from the previous example eventually rendezvous with a compatible input. 


E|;F:rhP| Q- C^rEv{R\S) 

E'\lF':rEP\Q—^rEv{R'\S') 





HP->r-r2i-p' 

swap* 

r -I- 2 h swap*P' 

<P 


^ + ^ hP'-?r-r2i-p" 

(EIE'Y-±^ 

When the extrusions are of the same $\nu$-binder, and the residual outputs are not bound, then we have:


(P'/P)‘'+ho) 

r-ri hs- + ^ \-q' 



r-ri hs'- r + ^\- q" 

(P/P')''+ho) 


and the residual of one extrusion-handling after another is a plain communication, with the resulting $\tau$
action simply propagated through the second $\nu$ binder:


v^E'|E\lF'|F) 

r\-v(R\ S) - - -► r h i/((pop 0)*swap*P' I O') 


E\iy 

rhPio 

E'll^ 


v{a I O') 
r h u((pop 0)*P' I O') 

i/((pop 0)> I 0) 


r h v{R' I S')-> r h i/((pop o)*p" I Q") 

v^EIE'foFIF') 


Here $\alpha$ is the equality $(\mathsf{pop}\ 0) \circ \mathsf{swap} = \mathsf{pop}\ 0$ (Lemma|^ applied to $P'$.


Example: permuting bound actions propagating through a binder. Now suppose we have a
process of the form $\nu P$ which has two concurrent transitions propagating an input action through the
$\nu$ binder:


r-n hP - ^ - > r-h2hP „ r-nhP - ^ - > r-h2hP' 

- !/-■ - - -- -- 

r h i/P —^—> r -h 11 - i/(swap*P) r h i/P —^—> ^ + ^\- i/(swap*p') 

(The derivations are valid because both $x + 1$ and $z + 1$ are of the form push*h.) The residuals of $E$ and
$E'$ with respect to each other have the form:


r-p 2 i-p 



r-p 2 i-p' 


iE'lE)'^ 

-> p _l_ 3 l_ p' 

swap* 

F-l- 3 h swap*P' 


(p/p.)X±2 


r + 3\-p” 


We can use these residuals to define the following composite residual $(\nu\cdot E')/(\nu\cdot E)$:

E'lE^ - h -- 

^ r + 2hR - ^ - > r-r3hP' 

swap • --- 

r + 2\- swap*P > r -I- 3 h (swap -h 1 )*P' 

V ■ --- -- 

r -I-1 h i'(swap*P) — > r -r 2 h i'(swap*(swap -|-1 )*P') 

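noting that $\mathsf{swap}^*(u + 2) = u + 2$ by Lemma|^. The complementary residual $(\nu\cdot E)/(\nu\cdot E')$ is similar,
with $x$ instead of $u$ and $R'$ instead of $R$. It remains to show that the terminal states are swap-congruent:

$$\begin{aligned}
\mathsf{swap}^*\,\nu(\mathsf{swap}^*(\mathsf{swap}+1)^*P') &= \nu((\mathsf{swap}+1)^*\mathsf{swap}^*(\mathsf{swap}+1)^*P') && \text{(definition of } \cdot^*\text{)} \\
&= \nu(\mathsf{swap}^*(\mathsf{swap}+1)^*\mathsf{swap}^*P') && \text{(Lemma j^)} \\
&\cong \nu(\mathsf{swap}^*(\mathsf{swap}+1)^*P'') && (\nu(\mathsf{swap}^*(\mathsf{swap}+1)^*\phi))
\end{aligned}$$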

Example: permuting extruding rendezvous and unhandled extrusion. Of course concurrent
transitions are not always as symmetric as the ones we have seen. Here a name extrusion which has a
successful rendezvous, resulting in a $\tau$ action, is concurrent with another which does not and which
therefore propagates as a bound output:


P|"F: rh P I 0 —> r + 1 h push*P I s 

E\lF'-.r^P\Q—^r^v(R\S') 

As before, it matters whether the extrusions ^ F^‘' are of the same or different binders. 

Sub-case: extrusions of same binders. In this case, the residuals $F'/F$ and $F/F'$ become sends of index
0, the binder being extruded.


r 


■ lo ■ 


push*- 


_ ^ fhP—^r + 1 ^_ 

r + i hpush*p - ^ - > r + 2 h(push + i)*p r + i hs^^i^r + i \-q' 

r + i i-push*P|s—^— >r + i i-(pop o)*(push + i)*P| Q' 


For the other residual, we can derive: 


V- 




n- 


FIF' -=-- 

r +11- s' r +1 h 0" 

r +1 h p I S' r +1 h p I 0 " 

v{R\S') —5_^r + 1 \-R\Q" 


with $Q' = Q''$, and noting that $\mathsf{pop}\ 0$ retracts $\mathsf{push} + 1$ (Lemma j^ below).

Sub-case: extrusions of different binders. In this case the residuals $F'/F$ and $F/F'$ remain bound
outputs. Then, with the push*F derivation as before, we can derive:


push*E|J- 


F'lF -^- 

r + 1 hs - ''+^ - > r + 2hQ' 
r + i i-push*P|s—^—>r + i h i/((push + i)*P| Q') 


and for the other residual: 


FIF'- 

P|^._ - 

r + 1 h p 
r h i/(P I S') —^ 


r +1 h S' > r + 2 h 0" 

I S' > r + 2 h push*P I Q" 

> r + 1 h i'(swap*push*P | swap*(}") 


with $\mathsf{swap}^*Q' \cong Q''$. It remains to establish a $\cong$-path between the two terminal processes. We have
$Q' \cong \mathsf{swap}^*Q''$ by functionality and involutivity of $\mathsf{swap}$, and $\mathsf{push} + 1 = \mathsf{swap} \circ \mathsf{push}$ by Lemma j^ and
then the rest follows by reflexivity and congruence.


C.2 Cofinality for Theorem]^ 




Figure 9: Cofinality of $\phi/E$ and $E/\phi$ in the $\nu\nu$-swap cases


Figure [^ illustrates cofinality for the $\nu\nu$-swap cases, omitting the renaming lemmas used as type-level
coercions. The $\nu\nu\text{-swap}^{-1}$ cases are symmetric.




















